
Proof that Software PIN Debit is Unsafe (with Pictures!)

Posted by John B. Frank Friday, April 24, 2009

Editor's Note: I saw this item come across the newswires, and one specific quote in it instantly grabbed my attention (it is the one quoted in the story below).

Why did it grab my attention?

Because some argue that a "floating" PIN pad is secure, but based on the information in the story below, it "appears" (just like a floating PIN pad!) that it is NOT secure.

Keep in mind that a floating PIN pad is nothing but a "graphical user interface" (GUI), and GUIs can be readily replicated by hackers.


Just as HomeATM replicated the conventional approach to PIN debit and brought it to the web with our PCI 2.0 certified SafeTPIN, a hacker could (make that "would", because, as the story below states, they already have) replicate a software application and fool users into entering their passwords (PINs).

What a mess that will be. And guess who's going to be liable? Would it be the software application provider? The EFT network? The financial institution? The only two other choices would be the merchant or the consumer. Anyone have any thoughts?


Anyway, the story below verifies that what we've been saying this past year is TRUE. Not surprising, coming from the only TRUE PIN debit for the web provider in the world, is it?

Source: CA (Security Advisor blog)
Complete item: http://community.ca.com/blogs/securityadvisor/archive/2009/04/22/banking-trojans-tips-and-tricks.aspx

Browser Impersonation

Win32/Bancos and Win32/Banker are families of trojans that mostly target South American banks. These banks typically use the Portuguese language on their websites, and in the example below you can see that the banking trojan managed to change the version of the web browser from English to Portuguese.

In the Process Explorer window shown in Figure 02, you can see that the process owning the Window Title - "http://www.bradesco.com.br - Microsoft Internet Explorer" is the banking Trojan, not Internet Explorer. The banking trojan now has control over the keyboard and can intercept login credentials entered on the website by the user.

Editor's Note: In a software PIN debit application, you are instructed to "type" in your debit card's "primary account number" (PAN). So this is not good news for people who say that it's a secure application. In addition, it bodes well for my assertion that banks should replace "username: password:" with our PCI 2.0 certified and much more secure SafeTPIN and use that as a log-in device.


Fake Login Page


Some banking trojans imitate legitimate applications distributed by banks and there is no way a user can tell the difference between the real and fake graphical user interfaces.

Editor's Note: So there you have it. Anyone still think that a software PIN Debit application is secure?
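The two items above (a trojan owning a window whose title says "Microsoft Internet Explorer", and a copied GUI that cannot be told from the real one by looking at it) share one practical lesson: the check has to come from outside the rendered interface. What Process Explorer showed in the screenshot can be automated. The following is an added example, not code from this post or from CA's advisory: it lists visible top-level windows, reads the browser each title claims to belong to, and compares that claim with the executable that actually owns the window. The browser-to-image table, the trusted install directories and the sample window records are assumptions constructed for illustration; the Windows collector uses the documented user32/kernel32 calls through ctypes and is only invoked when the script runs on Windows.

```python
"""Cross-check what a window title claims against the process that owns it.

Added example, not from the post or from CA. A banking trojan that owns a
window titled "... - Microsoft Internet Explorer" is caught by the same
mismatch the Process Explorer screenshot showed: the title claims one
application, the owning image is another.
"""
import sys
from dataclasses import dataclass

# Title suffix each browser appends, mapped to the image that should own it.
# Assumed table for illustration; extend it for the browsers in your fleet.
EXPECTED_OWNER = {
    "Microsoft Internet Explorer": "iexplore.exe",
    "Mozilla Firefox": "firefox.exe",
    "Google Chrome": "chrome.exe",
}

# Assumed trusted install locations; a trojan renamed to iexplore.exe that
# runs out of %TEMP% must still be flagged.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class WindowRecord:
    hwnd: int
    title: str
    pid: int
    image: str  # full executable path as reported by the OS


def claimed_browser(title):
    """Return the browser name the title claims, or None if it claims none."""
    for suffix in EXPECTED_OWNER:
        if title.endswith(" - " + suffix):
            return suffix
    return None


def check_window(rec):
    """Return a finding string when the title's claim and the owner disagree."""
    browser = claimed_browser(rec.title)
    if browser is None:
        return None
    image_lc = rec.image.lower().replace("/", "\\")
    image_name = image_lc.rsplit("\\", 1)[-1]
    if image_name != EXPECTED_OWNER[browser]:
        return (f"hwnd {rec.hwnd:#x}: title claims {browser!r} but is owned by "
                f"pid {rec.pid} ({rec.image})")
    if not any(image_lc.startswith(d) for d in TRUSTED_DIRS):
        return (f"hwnd {rec.hwnd:#x}: {image_name} owns a {browser!r} window but "
                f"runs from an untrusted location ({rec.image}), pid {rec.pid}")
    return None


def audit(records):
    """Run check_window over every record and return the non-empty findings."""
    return [f for f in (check_window(r) for r in records) if f]


# Constructed sample modelled on the Process Explorer view the post describes
# (hwnds, pids and paths are made up for illustration).
SAMPLE = [
    WindowRecord(0x1A0B2C, "http://www.bradesco.com.br - Microsoft Internet Explorer",
                 3120, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"),
    WindowRecord(0x2B0C3D, "Bradesco - Microsoft Internet Explorer",
                 1864, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    WindowRecord(0x3C0D4E, "Inbox - Mozilla Firefox",
                 2210, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    WindowRecord(0x4D0E5F, "Calculator", 4400, r"C:\Windows\System32\calc.exe"),
    WindowRecord(0x5E0F60, "Login - Microsoft Internet Explorer",
                 5012, r"C:\Users\alice\AppData\Local\Temp\iexplore.exe"),
]


def collect_windows_win32():
    """Enumerate visible top-level windows on Windows (user32/kernel32 via ctypes)."""
    import ctypes
    from ctypes import wintypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    kernel32.QueryFullProcessImageNameW.argtypes = [
        wintypes.HANDLE, wintypes.DWORD, wintypes.LPWSTR, ctypes.POINTER(wintypes.DWORD)]
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    records = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _):
        if not user32.IsWindowVisible(hwnd):
            return True
        n = user32.GetWindowTextLengthW(hwnd)
        if n == 0:
            return True
        title = ctypes.create_unicode_buffer(n + 1)
        user32.GetWindowTextW(hwnd, title, n + 1)
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        image = ""
        h = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid.value)
        if h:
            buf = ctypes.create_unicode_buffer(1024)
            size = wintypes.DWORD(1024)
            if kernel32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size)):
                image = buf.value
            kernel32.CloseHandle(h)
        records.append(WindowRecord(hwnd, title.value, pid.value, image))
        return True

    user32.EnumWindows(on_window, 0)
    return records


if __name__ == "__main__":
    records = collect_windows_win32() if sys.platform == "win32" else SAMPLE
    for finding in audit(records) or ["no mismatched browser windows"]:
        print(finding)
```

Two caveats a practitioner will want. First, a name match alone is weak, which is why the second rule flags a correctly named image running from outside the trusted install directories; in production, verify the image's Authenticode signature rather than its path. Second, this check only sees windows owned by a separate process: a trojan that injects into the real iexplore.exe (as a BHO or injected DLL) owns nothing distinguishable here, and that is the limit of any owner-based check.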

Recommendation
In tough economic times like this, it is very important for us to understand the behavior of these threats and the associated risks.

At the end of the day, the main goal of the attackers is to steal your identity and your money!

E-Secure-IT
https://www.e-secure-it.com







